AIO Glossary Flashcards
A tool that sites between client systems and the back end services they call via API rwquests in order to serve as a reverse proxy for security and performance capabilities
API Gateway
A set of functions, routines, tools or protocols for building applications. An API allows for interaction between systems and applications that can be leveeraged by developers as building blocks for their applications and data access through a common method, without custom coding for each integration
Application Programming Interface (API)
An estimated number of the times a threat will successfully exploit a given vulnerability over the couse of a single year
Annualized Rate of Occurrence (ARO)
A threat modeling approach composed of Architecture, Threats, Attack Surfaces and Mitigations
ATASM
The ability to properly capture, analyze and report on any and all events that happen within a system or application, such as data access and modification, user actions and processes, controls and compliance and regulatory and contractual compliance
Auditability
The process of evaluating credentials presented by a user, application or service to prove its identity as compared to values already known and verified by the authentication system
Authentication
The process of granting or denying access to a system, network or application after successful authentication has been performed, based on approved criteria set by regulation
Authorization
Part of the change management process, which establishes an agreed upon standard configuration and the attributes that comprise it and forms the basis for managing change from that point forward
Baseline
A heavily fortified system that serves as a jumpbox or proxy between an untrsuted network and trusted networks
Bastion Host
The capability of an organization to continue the operation of systems or applications at a predetermined level after an incident or a disruption of service
Business Continuity
A process designed to identify risks, threats and vulnerabilities that could disrupt or impact services, with the intent of determining mitigation stratgies and response processes should they occur
Business Continuity Management
A developed and tested document, containing information from stakeholders and staff, for the continuation of operations and services in the event of a disruption or incident
Business Continuity Plan
A structured methodology to identify and evaluate the possible risks and threats that operations or services could be impacted by, as well as the possible or liklely extent of impact and disruption
Business Impact Analysis
The formal documentiation showing the chronological control and disposition of data or evidence, either physical or electronic. This documentation includes creation, all changes of possession and final disposition.
Chain of Custody
Federation
A group of IT service providers that interoperate based on an agreed upon set of standards and operations
An individual with a role in the change management process who ensures the overall change process is properly executed. This person also directly handles low levels tasks related to the change process
Change Manage
A software tool or service that sits between cloud resources and the clients or systems accessing them. It serves as a gateway that can perform a variety of security and policy enforcement functions. A CASB typically can consolidate and perform the functions of firewalls and web applications firewalls as well as provide authentication and data loss prevention capabilities
Cloud Access Security Broker
An application that is never installed on a local server or desktop but is instead accessed via a network or the Internet. A cloud application merges the functionalty of a local application with the accessibility of a web based application
Cloud Application
Cloud Application Management for Platforms (CAMP)
Within a PaaS implementation, CAMP servers as the framework and specification for managing platform services, encompassing a RESTful protocol for managing services, the model for describing and documenting the components that comprise the platform, and the language describing the overall platform, its components and services and the metadata about it
An audit that is specifically responsible for conducting audits of cloud systems and cloud applications. The cloud auditor is responsible for assessing the effectiveness of cloud service and identifying control deficiencies between the cloud customer and the cloud provider, as well as the cloud broker if one is used
Cloud Auditor
The process of using a cloud based backup system, with files and data being sent over the network to a public or private cloud provider for backup, rather than running traditional backup systems within a data center
Cloud backup
A public or private cloud services organization that offers backup services to either the public or organizational clients, either on a free basis or using various costing models based on either the amount of data or number of systems
Cloud Backup Service Provider
Services that run within a public or private cloud offering backup solutions, either through client based software that does automatic or scheduled backups or through manual backups initiated by a user or system
Cloud Backup Solutions
An organization that sells and offers cloud services, and possibly cloud support services, to various organizations and works as a middleman between the cloud customer and cloud provider
Cloud Computing Reseller
A formally published guide by the Cloud Security Alliance that enables cloud customers to evaluate a prospective cloud provider in regard to its security posture, The CCM also allows a cloud provider to structure its security approach
Cloud Controls Matrix (CCM)
An organization or individual that utilzies and consumes resources and services from a cloud provider. This can be in the form of free public services and systems or private and gee based applications or solutions
Cloud Customer
The ability to move data between cloud providers
Cloud Data Portability
A database that is installed in a cloud environment and accessed via the network or the Internet by a user or application. Because the database is being installed in a cloud environment instead of a typical server environment, elasticity, scalability and high availability can be achieved and maximized
Cloud Database
A partner that serves as an intermediary between a cloud service customer and a cloud service provider
Cloud Service Broker
A group of cloud services with a common set of features or qualities
Cloud Service Categoriy
On that holds a relation with either a cloud service provider or a cloud service customer to assist with cloud services and their delivery
Cloud Service Partner
Common Criteria
A set of international guidelines and specifications for the evaluation of IT security resources to ensure that they meet an agreed upon set of security standards, specifically focused on government computing and security needs and requirements. The Common Criteria for Information Technology Security Evaluation is formalized as an international standard in ISO/IEC 15408
A cloud infrastructure provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. It may be owned, managed and operated by one or more of the organizations in the community, a third party or some combination of these and it may exist on or off premises
Community Cloud
CaaS allows for the execution of compute intensive workloads to be performed in the cloud. Code can be executed in a serverless environment where the customer only pays for the computing time and cycles they consume, without the need for setting up server instances or environments.
Compute as a Service (CaaS)
Confidential computing is a paradigm that isolates the processing of data within protected CPU segments that are completely isolated from other users and systems
Confidential Computing
Establishing a controlled means of consistency throughout a systems lifecycle, based on its requirements and technical specifications, to properly ensure configuration controls, performance standards and design requirements
Configuration Management
A software package that contains all of the code, configuration, and libraries needed for an application to operate, packaged inside a single unit
Container
The process of taking logs from many different systems and putting them together based on a commonality in order to fully track a session or transaction
Correlation
A very common type of security vulnerability found with web applications, where an attacker can inject client side scripts into web pages that are then viewed and executed by other users.; The goal of XSS from an attackers perspective is to bypass the security controls of an application, such as an access control with a same origin policy
Cross Site Scripting
Data that resides on a system in persistent storage, such as disks, tapes, databases or any other type of storage device
Data at Rest (DAR)
The feature of cloud storage where data is spread across data centers or wide geographic areas for redundancy and speed. The degree of dispersion is typically based on the needs of the application and the level of service provured by the cloud customer
Data Dispersion
Serverless, managed data processing service offered by a cloud provider for the execution of data pipelines
Data Flow
Data that flows over a networked connection, either through public unsecured networks or internal protected corporate networks
Data in Transit
Data within a system or application that is currently being processed or is in use, either through the computing resources or residing in memory
Data in Use
An overall strategy and process for ensuring that users cannot send sensitive or protected information outside of network or systems that are secured and protected. This can be related to the intentional attempt by user to transfer such information, but it also applies to preventing the accidental sending or leakage of data
Data Loss Prevention
The ability to easily move data from one system to another without having to re-enter it
Data Portability
A suite of tools used to monitor database operations and functions in real time in order to detect security concerns or anomalies
Database Activity Monitoring (DAM)
A subscription service where the database is installed, configured, secured and maintained by the cloud provider, the the cloud customer on responsible for loading their schema and data
Database as a Service (DBaaS)
A cloud based equivalent of a traditional virtual desktop interface (VDI) that is hosted and managed by a cloud provider rather than on hardware owned by the customer
Desktop as a Service (DaaS)
Combines software development with IT operations, with a goal of shortening the software development time and providing optimal uptime and quality of service
DevOps
Short for development, security and operations. The process of integrating security at all levels and stages of development and operations to fully ensure best practices and a focus on security
DevSecOps
Information that specifically applies to a unique individual such as name, address, phone number, email address, or unique identifying numbers of codes
Direct Identifier
A utility from VMware that balances computing demands and available resources within the virtualized environment
Distributed Resource Scheduler (DRS)
The testing of an application while it is in an operational state with currently running systems, applications and networks
Dynamic Application Security Testing (DAST)
The process of moving and reallocating virtual machines and resources within a cluster environment to maintain optimal performance with balanced and distributed resource utilization
Dynamic Optimization
A computing paradigm that is based on putting the processing of data and computing resources as close to the source of that data as possible
Edge Computing
The process for a criminal or civil legal case where electronic data is determined, located and secured to be used as evidence
eDiscovery
The process of encoding and securing data so that only authorized parties in possession of the correct information, credentials or keys can access it
Encryption
An application that runs on a large and distributed scale and is deemed mission critical to a company or organization
Enterprise Application
A cloud based backup and recovery service that is related to and similar to those offered for personal use, but scaled and focsed on large scale and organizational level services
Enterprise Cloud Backup
Temporary, unstructured storage that is only used for a node or service while it is active and in use and the is destroyed upon being shut down or deleted
Ephemeral Storage
An action or situation that is recognized by software that then causes some action or response by the software to be taken
Event
A security standard published by the US federal government that pertains to the accreditation of cryptographic modules
FIPS 140-2
The use of a location technology such as WiFi, cellular networks, RFID tags, IP address locations or GPS to control access or behavior of devices
Geofencing
A physical device, typically a plugin card or an external device, that attaches to a physical computer. It is used to perform encryption and decryption of digital signatures, authentication operations and other services where cryptography is necessary
Hardware security modules (HSM)
Taking data of an arbitrary type, length or size and using a mathematical function to map the data to a value that is of a fixed size. Hashing can be applied to virtually any type of data object, text strings, documents, images, binary data and even virtual machine images
Hashing
The HITECH Act of 2009 provided incentives for health care providers to expand their use of tech, including the widespread adoption of electronic health record systems
Health Information technology for economic and clinical health act
The Health Insurance Portability and Accountability Act of 1996 requires the US department of health and human services to publish and enforce regulations pertaining to electronic health records and identifiers between patients, providers and insurance companies. It is focused on the security controls and confidentiality of medical records, rather than specific technologies used, so long as they meet the requirements of the regulations
Health Insurance Portability and Accountability Act (HIPAA)
A hosted based intrusion detection system monitors the internal resources of a system for malicious attempts. It can also be used for packet inspection and network monitoring
Host Based Intrusion detection system
A cloud infrastructure composed of two or more distinct cloud infrastructure that remain unique entities but are bonded together by standardized or proprietary technology that enables data and application portability
hybrid cloud
A virtual machine manager that allows and ebales multiple virtual hosts to reside on the same physical host
Hypervisor
A subscription based service for Identity and Access Management and single sign on that is offered over the Internet versus deployed by the customer
Identity as a Service (IDaaS)
A system responsible for determining the authenticity of a user or system, thus providing assurance to a service that the identity is valid and known and possibly providing additional info about the identity of the user or system to the service provider requesting it
Identity Provider (IdP)
An event that could potentially cause a disruption to an organizations systems, services or applications
Incident
Pieces of information about an entity that cannot be used individually to identify that entity uniquely but can be used in combination to potentially do so. Examples include place of birth, race, employment history and educational history
Indirect Identifiers
A subset of digitial rights management that is focused on protecting sensitive information from unauthorized exposure or use
INformation Rights Management (IRM)
The capability provided to a consumer to provision processing, storage, networks and other fundamental computing resources in order to deploy and run arbitrary software, including OS and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over OS< storage and deployed applications and possibly limited control of select networking components such as host firewalls
Infrastructure as a Service (IaaS)
A way of managing and provisioning infrastructure components through definition files, versus the traditional way of using configuration tools. Typically, admins maintain definition files that contain all the options and settings needed to deploy virtual machines or other pieces of a virtual infrastructure
Infrastructure as Code (IaC)
A method for monitoring an application while it is running and has processes interacting with it, continually scanning for any security vulnerabilities.
Interactive Application Security Testing (IAST)
The ease and ability to reuse components of a system or application regardless of the underlying system design and provider
Interoperability
A device, appliance, or software implementation that monitors servers, systems or networks for malicious activities
Intrusion detection system (IDS)
A network based appliance or software that examines network traffic for known exploits or any attempts to use exploits, and actively stop them or blocks attempts
Intrusion prevention system (IPS)
A formal specification for information security management systems that provides, through completion of a formal audit, certification from an accredited body for compliance, ISO/IEC 27001:2018 is the latest revision
ISO/IEC 27001 and 27001:2018
A collection of papers and concepts that lays out a vision for an IT Service Management (ITSM) framework for IT services and user support
IT Infrastructure Library (ITIL)
The authority to exert regulatory and legal control over a defined area of responsibility. Jurisdictions can overlap between the local, state/province, and national levels
Jurisdiction
A system or service that manages keys used for encryption within a system or application that is separate from the actual host system. The KMS will typically generate, secure and validate keys
Key Management Service (KMS)
A metric that provides quantitative value that can be sued to evaluate how effectively key business requirements are being met
Key Performance Indicator (KPI)
The process of collecting and preserving data as required by an official request from a legal authority
Legal Hold
A provider of IT services where the technology, software and operations are determined and managed away from the customer or user
Managed Service Provider
The process of aligning data values and fields with specific definitions or requirements
Mapping
A measure, typically in hours, of what the average time between failures is for a hardware component in order to determine its reliability
Mean Time Between Failures (MTBF)
A measure for hardware components of the typical or average time to repair a recover after a failure
Mean TIme to Repair (MTTR)
A cloud service thats delivered and billed for in a metered way
Measured Service
Data that gives additional descriptive information about other data. THis can be in the form of structural data that pertains to how the information is stored and represented, or it can be descriptive data that contains information about the actual content of the data
Metadata
Cloud based storage, typically used for mobile devices such as tablets, phones and laptops, that enables the user to access their data from any network location and across multiple devices in a uniform way
Mobile Cloud Storage
Mobile Device Management
MDM is an encompassing term for a suite of policies, technologies and infrastructure that enables an organization to manage and secure mobile devices that are granted access to its data across a homogenous environment. This is typically accomplished by installing software on a mobile device that allows the IT department to enforce security configurations and policies, regardless of whether its owned by the organization or is a private device owned by the user
Having multiple customers and applications running within the same environment but in a way that they are isolated from each other and not visible to each other, while still sharing the same resources
Multitenancy
A device placed at strategic places on a network to monitor and analyze all network traffic traversing the subnet and them compare it against signatures for known vulnerabilities and attacks
Network based intrusion detection system
Contains a set of rules that can be applied to network resources for the processing and handling of network traffic. The group contains info used to filter traffic based on the direction of traffic flow, source address, destination address, ports of both the source and destination and the protocols being used for transmission
Network Security Group
Title Security and Privacy Control for Federal Information Systems and Organizations NIST SP 800-53 provides a set of security controls for all systems under the US federal government, with the exception of systems dedicated to national security
NIST SP 800-53
The ability to confirm the origin or authenticity of data to a high degree of certainty
Non repudiation
A set of standards for protecting the national power grid and systems, specifically from a cyber security perspective
North American Electric Reliability Corporation / Critical Infrastructure Protection (NERC/CIP)
A storage method used with IaaS where data elements are managed as objects rather than hierarchically with a file system and directory structure
Object Storage
The ability for a cloud customer to provision services in an automatic manner, when needed, with minimal involvement from the cloud provider
On Demand Self Service
An official ITIl term that relates to a specialized service level argeement (SLA) pertaining to internal parties of an organization, rather than between a customer and provider
Operational Level Agreement (OLA)
The automation of tasks within a public or private cloud that manages administration, workloads, and operations within the environment
Orchestration
The process of securely removing data from a system by writing blocks of randmo or opaque data on storage media to destory any previous data and make it unrecoverable
Overwriting
Process for Attack Simulation and Threat Analysis is a seven step method that is platform agnostic and combines business objectives, technical requirements and compliance for threat management
PASTA
An industry regulation that applies to organizations that handle credit card transactions. Rather than being a legal regulation passed by government authorities, it is enforced and administered by the credit card industry itself. The regulations are designed to enforce security best practices to reduce credit card fraud
Payment Card Industry Data Security Standard
The capability provided to the customer to deploy onto the cloud infrastructure any consumer created or acquired applications written using programming languages, libraries, services and tools supported by the provider. The customer does not manage or control the underlying infrastructure, including the network, servers, OS, and storage, but does have control over the deployed applications and possibly configuration settings for the application hosting environment
Platform as a Service
The ability of a system or application to seamlessly and easily move between different cloud providers
Portability
A specific type of analysis conducted by an organization that stores or processes sensitive and private data. The organization will evaluate its iternal processes for development and operations with an eye toward the protection of personal data throughout the entire lifetime of its possession and use
Privacy Impact Assessment (PIA)
A declaration published by the cloud service provider documenting its approach to data privacy. The cloud service provider implements and maintains the PLA for the systems it hosts
Privacy Level Agreement (PLA)
A cloud infrastructure provisioned for exclusive use by a single organization composed of multiple consumers. It may be owned, managed and operated by the organization, a third party, or some combination thereof, and it may exist on or off premises
Private Cloud
A special designation of data under United States law that encompasses any health related data that can be tied to an individual, including health status, healthcare services sought or provided, or any payment related to healthcare
Protected Health Information (PHI)
A cloud infrastructure provisioned for open use by the general public. It may be owned, managed and operated by a business, academic organization, or governmental organization, or some combination of both. It exists on the premises of the cloud provider
Public Cloud
Quantum computing involves the use of quantum phenomena, such as the interactions between atoms or wave movements, to aid in computation
Quantum Computing
A point of time in the past that an organization is willing to revert to in order to restore lost data or services following an interruption
Recovery Point Objective (RPO)
A defined maximum time duration for which an organization can accept the loss of data or services following an interruption
Recovery Time Objective (RTO)
A system or application that provides access to secure data through the use of an identity provider
Relying Party
A system for designing and implementing networked applications by utilizing a stateless, cacheable, client/server protocol, almost always via HTTP
Representational State Transfer (REST)
A key component of the change management process that involves a formal documented change request, including what change is needed, why it is needed, the urgency of the change and the impact if the change is not made
Request for Change (RFC)
The aggregation and allocation of resources from the cloud provider to serve the cloud customers
Resource Pooling
The ability of a cloud customer to recovery all data and applications from a cloud provider and completely remove all data from the cloud providers environment
Reversibility
Security technology and systems integrated into a system or application that enables it to detect and prevent attacks in real time
Runtime Application Self Protection (RASP)
The segregation and isolation of information or processes from others within the same system or application, typically for security concerns
Sandboxing
A computing system or application that processes data
Service
A document agreed upon between a customer and a service provider that defines and maps out minimum performance standards for a variety of contract requirements. An SLA typically includes minimum standards for processes, uptime, availability, security, auditing, reporting, customer srrvice and potentially many other requirements
Service Level Agreement (SLA)
An organization that provides IT services and applications to other organizations in a sourced manner
Service Provider (SP)
A system of providing IT applications and data services to other components through communications protocols over a network, independent of any particular technology, system, provider or implementation
Service Oriented Architecture (SOA)
This is a proven methodology for developing business driven risk and opportunity focused security architectures, at both the enterprise and solutions levels, that traceable support business objectives. It is widely used for information assurance architectures and risk management frameworks as well as to align and seamlessly integrate security and risk management into IT architecture methods and frameworks. SABSA is composed of a series of integrated frameworks, models, methods and processes and can be sued independently or as a holistic, integrated enterprise solution
Sherwood Applied Business Security Architecture
A messaging protocol that is operating system agnostic and used to communicate with other systems through HTTP and XML
Simple Object Access Protocol (SOAP)
The monetary value assigned to the occurrence of a single instance of risk or exploit to an IT service, application or system
Single Loss Expectancy (SLE)
Audit and accounting reports, focused on an organizations controls, that are employed when providing secure services to users
SOC 1/SOC 2/SOC 3
The capability provided to the customer to use the providers applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web rbwoser, or a program interface. The consumer does not manage or control the underlying infrastructure, including the network, servers, OS, storage and even individual application capabilities, with the possible exception of limited user specific application settings
Software as a Service (SaaS)
An automated process that scans a codebase to identify any code that is from an open source package or repo. It is crucial for both security and license compliance
Software Composition Analysis (SCA)
An approach to separate the network configurations for the control plane and the data plane. This allows an abstraction for network admins to configure and control those aspects of the network important to modern systems and applications without having to get involved with the actual mechanisms for forwarding network traffic
Software Defined Networking
A defined period of time for development to be accomplished with running list of deliverables that are planned one sprint in advance
Sprint
A method used by malicious actors to insert SQL Statements into a data driven application in various input fields, attempting to get the application to access arbitrary code and return the results to the attacker. This could include attmpets to access a full database or the protected data within it or to modify or delete data
SQL Injection
Security testing of applications by analyzing their source code, binaries and configurations. This is done by tested who have an in depth knowledge of systems and applications, with the testing performed in a nonruninng state
Static Application Security Testing
One or more cloud customers who share access to a pool of resources
Tenant
An open enterprise architecture model intended to be a high level approach that design teams can use to optimize success, efficiency and returns throughout a systems lifecycle
The Open Group Architecture Framework
The process of replacing and substituting secured or sensitive data in a data set with an abstract or opaque value that has no use outside of the application
Tokenization
An evaluation of the content of data packets flowing into and in some cases, out of a network
Traffic Inspection
A program or application used to trick a user or administrator into executing an attack by disguising its true intention
Trojan
The security concept of separating systems and data into different levels (or zones) and applying security methods and practices to each zone, based on the requirements of that particular group of systems. In many instances, zones of a higher degree of trust may access those with a lower degree, but not vice versa
Trust Zone
The optimization of a cloud computing resources for a particular stack or vertical, such as a specific type of application or system, or by a particular industry sector or need
Vertical Cloud Computing
A computing environment that is a software implantation running on a host system, versus a physical hardware environment
Virtual Host or Virtual Machine
A VPN facilitates the extension of a private network over public networks, and it enables a device to operate as if it were on the private network directly. A VPN works by enabling an encrypted point to point connection from a device into a private network, typically through software applications, but this also can be done via hardware accelerators
Virtual Private Network
A type of rootkit installed in a virtualized environment between the underlying host system and the virtual machine. It is then executed and used when the virtual machine is started. A VM based rootkit is very difficult to detect in an environment, but its also very difficult to successfully implement
VM based rootkit
A more typical or standard file system used with IaaS that provides a virtual partition or hard disk to a virtual machine. It would be used just like a traditional hard drive, with file system, folders, and file organization methods
Volume Storage
A traditional development methodology where projects are divided into phases that must be fully developed, tested, approved, and implemeted before moving onte the next phase
Waterfall
An appliance of software plug in that parses and filters HTTP traffic from a browser or client and then applies a set of rules before the traffic is allowed to proceed to the actual application server
Web Application Firewall (WAF)
A web based application that provides tools, reporting and visibility for a user into multiple systems. In a cloud environment, a web portal provides metrics and service capabilities to add or expand for the customer to consume
Web Portal
An appliance implemented within a network to secure and manage XML traffic. it is particularly used within a cloud environment to help integrate cloud based systems with those still residing in traiditonal data centers
XML appliance
